High (7.2) Actively Exploited

Kentico Xperience RCE exploited in the wild (CVE-2025-2749)


CVE-2025-2749 is an authenticated remote code execution flaw in Kentico Xperience: a path traversal in the Staging Sync Server file upload lets an authenticated user write files outside the intended directory. Versions through 13.0.178 are affected; update to 13.0.179 or later to patch.

Affected: Kentico Xperience

Actively exploited in the wild - CVE-2025-2749 is a high-severity (CVSS 7.2) remote code execution vulnerability in Kentico Xperience through 13.0.178 that lets authenticated Staging Sync Server users upload ASP.NET scripts via path traversal and fully compromise the server. Patching to the latest version is critical.

Overview

A high-severity vulnerability in the Kentico Xperience content management system is confirmed to be under active exploitation. Tracked as CVE-2025-2749, the flaw allows an authenticated user of the Staging Sync Server to execute arbitrary code on the underlying server.

Vulnerability Details

The vulnerability stems from insufficient validation of the file name and path in the Staging Sync Server's file upload handling. An authenticated attacker can supply a path containing traversal sequences so that the uploaded file is written outside the intended directory, anywhere the application's account can write. By placing server-side executable content, such as an ASP.NET (.aspx) script, into a web-accessible directory, the attacker has the web server execute it and obtains remote code execution (RCE) in the context of the application's process identity. From there they can steal data, deploy malware or establish persistent access to the network.

The vulnerability affects Kentico Xperience versions through 13.0.178. The CVSS v3.1 base score is 7.2 (High), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: the attack is network-based, of low complexity and needs no user interaction, but it requires high privileges, namely a valid account with Staging Sync Server access. That authentication requirement lowers the score, not the impact: a successful attack still yields complete loss of confidentiality, integrity and availability on the host.
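To make the traversal pattern concrete, here is an added Python illustration (not Kentico code, and not taken from the advisory) of an upload-destination routine: the vulnerable join that trusts the client-supplied name, next to a hardened version that canonicalises the name, confines it to the upload directory and refuses server-executable types. WEB_ROOT, UPLOAD_DIR, the extension deny-list and the sample file names are assumptions chosen for the example; the hardened version also treats backslashes as separators because the real target runs on Windows/IIS.

```python
"""Upload-destination handling: the vulnerable pattern behind an upload
path-traversal bug, beside a hardened version.

Added example, not Kentico code. WEB_ROOT, UPLOAD_DIR, the extension
deny-list and the sample names below are assumptions for the illustration.
"""
import os
import posixpath

WEB_ROOT = "/srv/kentico"                                    # assumption: served by IIS
UPLOAD_DIR = os.path.join(WEB_ROOT, "App_Data", "Staging")   # assumption: intended drop dir

# Extensions the web server would execute (or that reconfigure the app).
# None of these should ever be written by an upload handler.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".cshtml", ".config", ".dll"}


def vulnerable_destination(client_name: str) -> str:
    """Vulnerable: joins the client-supplied name onto UPLOAD_DIR unchecked.
    A name like '../../CMSPages/shell.aspx' resolves into a web-served
    directory, which is exactly how a script drop becomes RCE."""
    return os.path.normpath(os.path.join(UPLOAD_DIR, client_name))


def escapes_upload_dir(path: str) -> bool:
    """True if a normalised absolute path lies outside UPLOAD_DIR."""
    return os.path.commonpath([UPLOAD_DIR, path]) != UPLOAD_DIR


def safe_destination(client_name: str) -> str:
    """Hardened: canonicalise, confine to UPLOAD_DIR, refuse executable types.
    Raises ValueError for anything that must not be written."""
    if "\x00" in client_name:
        raise ValueError("NUL byte in filename")
    # The target runs on Windows, so a backslash is a separator there even
    # if this check runs on POSIX: normalise before inspecting.
    rel = client_name.replace("\\", "/")
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":"):
        raise ValueError("absolute path rejected")
    rel = posixpath.normpath(rel)            # collapses 'a/../b', './x', '//'
    if rel in ("", "."):
        raise ValueError("empty filename")
    if rel == ".." or rel.startswith("../"):
        raise ValueError("path traversal rejected")
    dest = os.path.normpath(os.path.join(UPLOAD_DIR, *rel.split("/")))
    if escapes_upload_dir(dest):             # second, independent containment check
        raise ValueError("destination escapes upload directory")
    if os.path.splitext(dest)[1].lower() in EXECUTABLE_EXTS:
        raise ValueError("server-executable extension rejected")
    return dest


def is_rejected(client_name: str) -> bool:
    """Convenience for checks: does the hardened handler refuse this name?"""
    try:
        safe_destination(client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest traversal or script drops.
    for name in ("sync/page.xml", "../../CMSPages/shell.aspx",
                 "..\\..\\CMSPages\\shell.aspx", "sync/../../../web.config",
                 "C:\\inetpub\\wwwroot\\shell.aspx", "notes/readme.aspx"):
        print(f"{name!r:40} vulnerable -> {vulnerable_destination(name)}")
        print(f"{'':40} hardened   -> "
              f"{'REJECTED' if is_rejected(name) else safe_destination(name)}")
```

The two containment checks are deliberately redundant: the prefix test on the normalised relative name catches traversal before any join, and the commonpath test catches anything that still escapes after joining. Note that normpath does not resolve symbolic links; on a real server, resolve the existing parent directory with realpath and repeat the containment check before writing.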

Impact

Successful exploitation leads to full compromise of the affected Kentico Xperience instance. Attackers can view, modify, or delete all website content and files. From this position, they can pivot to attack other internal systems, install ransomware, or steal sensitive data stored within the CMS or connected databases. Given its presence on the CISA Known Exploited Vulnerabilities (KEV) catalog, organizations must treat this as an immediate threat.

Remediation and Mitigation

The primary remediation is to update Kentico Xperience to a patched version. Kentico addressed this vulnerability in the releases after 13.0.178, so 13.0.179 or later closes it. Administrators should apply the latest vendor-provided update without delay. Because exploitation requires valid credentials, any account that held Staging Sync Server access before patching should also be reviewed for signs of misuse.

If immediate patching is not possible, consider these temporary mitigation steps:

  • Restrict network access to the Staging Sync Server endpoint to trusted administrative IP addresses, for example with IIS IP restrictions or at the perimeter; if content staging is not in use, disable the feature entirely.
  • Audit and minimize accounts with Staging Sync Server permissions, enforce least privilege, and rotate the credentials of any such account that may have been exposed.
  • Monitor web-accessible directories, not only the upload location, for newly created or modified server-executable files (.aspx, .ashx, .asmx, web.config); any such file that a deployment did not create should be treated as a likely web shell.
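The last mitigation is easier to act on with a baseline to compare against. The following is an added example, not part of the advisory or of Kentico: a small Python file-integrity sweep that snapshots a web root, then reports files that appeared or changed since the snapshot and flags those with server-executable extensions. The directory tree, the baseline content and the "dropped" files are constructed inline so the sweep runs offline; on a real host you would point snapshot() at the IIS site root and keep the baseline off the box.

```python
"""File-integrity sweep over a web root, looking for dropped or altered
server-executable files after a staging sync.

Added example, not part of the advisory or of Kentico. The directory tree,
the baseline and the 'dropped' files are constructed inline so the sweep
runs offline; on a real host point snapshot() at the IIS site root.
"""
import hashlib
import os
import tempfile

# File types IIS/ASP.NET executes or that change the app's behaviour.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".cshtml", ".config", ".dll"}


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def diff_snapshots(before: dict, after: dict):
    """Return (added, modified): paths new since the baseline, and paths whose hash changed."""
    added = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified


def flag_executables(paths):
    """Keep only the paths whose extension the web server would execute."""
    return [p for p in paths if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS]


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: write data at root/rel, creating dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate what an exploit
    leaves behind (a new .aspx under a served directory, an edited
    web.config) plus one harmless new sync file that must not be flagged."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "CMSPages/index.aspx", b"<%@ Page %>legit")
        _write(root, "web.config", b"<configuration/>")
        _write(root, "App_Data/Staging/sync.xml", b"<sync/>")
        baseline = snapshot(root)

        _write(root, "CMSPages/shell.aspx", b"<%@ Page %>dropped")   # attacker's script
        _write(root, "web.config", b"<configuration><!-- altered --></configuration>")
        _write(root, "App_Data/Staging/new.xml", b"<sync/>")        # benign sync data
        added, modified = diff_snapshots(baseline, snapshot(root))

    return {"added": added, "modified": modified,
            "flagged": flag_executables(added + modified)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:9}: {value}")
```

Run the snapshot after each legitimate deployment and store it outside the web server's reach; a sweep that finds a new .aspx or a changed web.config that no deployment explains is the signal to isolate the host and start incident response rather than just delete the file.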


Security Insight

CVE-2025-2749 highlights the persistent danger of file upload functionalities in web applications, a common vector in many high-profile attacks. Its exploitation mirrors trends where attackers target enterprise CMS platforms, which are often perimeter-facing and manage critical data. The inclusion in CISA’s KEV catalog shortly after disclosure suggests either widespread scanning or pre-existing exploit kits, underscoring the need for rapid patch cycles even for vulnerabilities requiring authentication.
